Firefox flaws found, fixed

Several security problems exist in the preview release of
Firefox 1.0. These have been fixed in the final release, which
was put up for download two days ago. Users have been advised to
upgrade.

The problems were detailed by the Secunia security advisory
service and include moderately critical bugs that could be
exploited to detect the presence of local files, cause a denial of
service, disclose sensitive information, spoof the file download
dialog, and gain escalated privileges.

Web sites may include images from local resources and these can
be used to determine the existence of local images or cause a
denial of service by referencing device files.

On Windows, there is the potential for stealing passwords via
file shares.

Additionally, the dialog box that comes up during file download
truncates filenames; this can potentially be exploited to spoof
file extensions.

On Mac OS X, Firefox is installed with world-writable
permissions. This means that local users can potentially gain
escalated privileges.

In September, several highly critical vulnerabilities were fixed
in Mozilla and Firefox and in the email client Thunderbird.

The disclosures come in the wake of a debate over browser
security, and just a week or so after exploit code for some
critical flaws in Internet Explorer was posted to a public mailing
list, resulting in the emergence of a number of worms that can
infect a user with a single click.